Archive

A family friend’s Gmail account was recently hijacked. We noticed because we got strange e-mails from her asking for money, so we called and told her what had happened. By the time she got around to checking what was going on, she was locked out of her Gmail and her Facebook accounts. In the panic that followed, her question was “what do I do?” My response was “Google it”. But then I realized that although there are plenty of forums where people ask for help because they are locked out of their accounts, there don’t seem to be many sites that point out that one account is seldom hacked in isolation, or that offer basic help on what to do when your account(s) have been compromised.

So, voila! I’ve set up a couple of pages in this blog that are primarily dedicated to helping people who can no longer access their accounts with one of the big on-line service providers (Gmail, Facebook, Hotmail, Twitter, etc). If you can still access your account but someone is using it to send spam or the like, you may still get some benefit from these pages, but I’d suggest you go to the help section of the service provider and find their instructions on what to do. Or simply change your password and the emergency verification questions that most service providers have.

On the other hand, if you can no longer access your account, then some serious trouble may be coming your way, so please read on.

Since the past “recession” of 2007, every now and then the mainstream financial news outlets mention that the price of gold is on the rise. There will, of course, be an expert interviewed who will offer an opinion. Being a novice to the “gold business”, it is not easy to decide whether the person you listen to is trustworthy or not. And if you start researching the subject you will come across these very convincing-sounding people with “unorthodox” ideas about the current financial and political system, and they will have their own, very strong opinions. In this kind of environment it is not easy to work out the angle and motives of the different people you hear. So I have prepared this post, presenting what I believe to be the four archetypes of those who talk about gold in various media. These four archetypes are: those who fall under the stigma of “conspiracy theorist”, the mainstream economic advisers, those who actually trade in precious metals and commodities on a daily basis, and those who have a vested interest in you buying gold from them. Read more for a more detailed presentation of each archetype.

1. France 24 uses the word “Islamist” as a synonym for terrorist and militant. Reuters refers to the “Real IRA” as a “dissident group”, yet arrests are made under the Terrorism Act.

2. What do the articles mention as consequences of terrorism? France 24: “Al-Qaeda in the Islamic Maghreb, has kidnapped several French citizens in recent years, some of whom have been ransomed and some killed. Four nuclear workers are still being held. … On April 28 bombers attacked a popular tourist cafe in the Moroccan city of Marrakesh, killing 17 people including eight French tourists”. Reuters: “99 viable bombs either exploded or were defused by army experts in the year to the end of March, compared with 50 a year ago. … At the beginning of April, a car bomb killed a 25 year-old Catholic constable. … [he] was the second Catholic officer to be murdered in two years, several more have been severely wounded or had narrow escapes. … As well as bombings there were 72 shooting incidents, 33 casualties resulting from paramilitary style shootings and 81 paramilitary style assaults.”

3. What about the arrests? France: “Six suspects were detained on Monday but the main target of the operation, an Indian national who recently arrived from Algeria, was taken on Tuesday”. Ireland: “Thursday’s police figures show that 188 people were arrested under the Terrorism Act, compared with 169 the year before. Those charged rose to 40 from 36. ”

With Chrome OS on the horizon, there has been a lot of blogging about whether client computers will become more secure. I would just like to take this opportunity to look at this question from another, less discussed, angle – the angle that follows the data rather than the computer that accesses the data.

Since Chrome OS is basically nothing more than a web-browser, it has been claimed that the client computers running it will become a lot more secure. I don’t necessarily dispute this claim, but I want to highlight the real reason why this will be the case. Certainly, the fewer points of attack there are (i.e. the smaller the system), the fewer vulnerabilities there will be to exploit. But more importantly, the reason Chrome OS based clients will be safer is that the data usually stored locally on PCs will be stored somewhere in the Cloud. As such, it will become less appealing for criminals to find exploits to access data on the client computers.

And if the hackers no longer care about client computers, where will they focus their attention? That is right: the Cloud. We are entering a whole new era of storing, processing and accessing data. As such, I would not be surprised if we see a whole new genre of exploits emerge – you know, like buffer overflows for C, or SQL injection for databases, or XSS for websites. I’m quite certain that we will see a new generation of exploits emerge that are specific to Cloud solutions. I don’t know enough about Cloud architectures to know what these exploits will look like, but I’m sure that the principle will be as basic and simple as the principles are for any of the exploit categories I just mentioned.

After all, if Google is sitting on all this data, why on Earth would hackers keep writing exploits for client computers when most of them will contain only limited amounts of useful information? Sure, the temptation of viruses that collect passwords and credit card details is still alluring, but I think that the more hard-core hackers will follow the data, and if the data goes to Google, that is where the hackers will go. It just seems silly to spend time and energy coming up with remote exploits to gain access to local clients when you can gain access to ALL the data stored by Google for ALL their users. Sure, it’s not going to be easy, but after all, Chrome OS will be a (somewhat) trusted client connecting to the Google infrastructure – what else do you need as a starting point?

Furthermore, any exploits that do more than collect keystrokes or credit card numbers entered into a browser on a local computer will need to use the Google infrastructure to collect the user’s data from the Cloud. For example, if a virus wants to get the address book of the victim to spread itself, it needs to get into the Gmail interface. So, it will need to communicate with the Cloud. And once it is communicating with the Cloud, why would it not take the next step and check out what else is stored in the Cloud under the user’s account? And if it is already there, why not try to escalate privileges and gain access to other people’s data? And while there, it might as well see if there are any corporations storing data somewhere near… do you see?

So, sure, the Chrome OS clients will definitely be more secure than your average PC (even one with an updated operating system and virus scanner), but that does not necessarily mean that your data will be safer. It just means that another attack vector has been added – that of the Cloud. More and more hackers will be drawn to try to exploit the Cloud infrastructure to gain access to several users’ data from within the cloud, circumventing any interaction with the user.

One of the arguments used to install more and more public surveillance equipment (besides the obvious “it’s for YOUR OWN safety”) is that if you have nothing to hide, you have nothing to fear. And after all, it’s not like the surveillance companies post all their recorded videos online for everyone to behold. No, only a few professional security guards have access to these feeds so that they can intervene if a “situation” arises.

NOT! That is a gross assumption. We think that it is a security guard monitoring the monitors, but do we actually know that for sure? Do we even know if there are any regulations regarding who gets to have access to all these video files and under what conditions? I don’t. We assume that there are licensed professional security personnel watching the screens, but it may very well be that in certain places nobody watches the screens – the images are simply recorded onto a computer (or videotape) and accessed by the police after you’ve been shot to find the guy/gal who shot you. But it may just as well be convicted pedophiles sitting there watching the screens. Think about it, if there are no regulations about who gets to supervise the surveillance footage and the surveillance companies need to save money, why not employ any hobo who is prepared to look at a couple of monitors all day for minimum wage?

But it may just as well be hackers or rapists looking at the video footage. Or… hang on… did he say “hackers”? Yes he did! Several years ago there was a Google hack whereby anyone could search for a specific term and Google would spit out a list of private security cameras installed all over the world, accessible to everyone over the internet because the people installing them had not activated the password features. So you could just click on a link and see the security footage of a parking lot outside a bar in Arkansas or something.

More recently, Kevin Finisterre, a security researcher, was tasked with testing the security of a city’s infrastructure and managed to hack a police vehicle’s on-board camera and microphone. Well, he didn’t even need to do much hacking: he just followed the instruction manuals for the systems (found on Google) and used the default passwords. He could see and hear the live feeds from cop cars and upload and download videos from the on-board computer (which, btw, are admissible as evidence in a court of law).

So if the security of surveillance equipment used by the police is so easily circumvented, what makes us think that the surveillance equipment used in taxis, public transportation vehicles, train stations, markets, malls, etc is any more secure?

But let’s leave security out of the equation for a moment. The point is that besides the licensed professionals and perverts I mentioned above, we also have hackers who can watch me do whatever I do in public areas, such as: walk, talk, eat, shop, sneeze, yawn, scratch my privates, pick my nose, stare at a woman, stare at a man, kiss my wife, kiss my cousin. I’m quite certain there are others who do a lot more embarrassing (maybe even illegal) things in public. In other words, we have a group of peeping-toms who, broadly speaking, are fascinated with “boobies”, who are convinced that all information should be made public, who have no qualms about publishing a clip of their school-mate going to second base on the school-bus or publishing pictures of people scratching various parts of their bodies. And this group of people, with enough patience and conviction, can access surveillance data from just about any public surveillance system in the world (and I haven’t even gotten into organized crime or terrorism).

And you tell me that I have nothing to fear if I have nothing to hide? Please! I will have nothing to fear when the surveillance providers go public with their recruitment and security procedures and their security audits. Then I will feel confident that me scratching my privates will not end up on dunces-scratching-their-asses.com or that my wife’s low-cut top won’t end up on boobwatch.xxx.

That the Playstation Network was hacked is yesterday’s news. The extent of the hack has to this date not been formally verified. Sony says my login details may have been compromised (makes me wonder if they kept the passwords in plain-text format) but says there is no proof my credit card details were stolen. Uhm… That just means they haven’t found the proof yet!

This puts me in an awkward position. About two/three weeks ago I decided to un-hack my PSP, because I couldn’t access the Playstation store with the hacked OS to download additional music for my favorite game, Rock Band Unplugged. So, I installed the latest OFW, set up an account, and accessed the store through the game. I entered my credit card details and off I went paying and downloading.

But now, a legal ambiguity has arisen. (Speaking about Swedish legislation only – I know the burden of proof is different in other countries.) I am supposed to report to my credit card company if anyone who is not supposed to have access to my card has had access to it. So, I should report to my card company that I was one of the people who had an account with Sony. But Sony hasn’t verified that hackers have had access to my credit card details, and no unauthorized purchases have been made. So there is only a possibility that it may happen in the future. So in theory I should report this. If I do, I have fulfilled my obligations, and if money gets taken off the card without my authorization, the card company has to prove that it was I who made the purchase which I claim I didn’t make. In Sweden, at least, that is the way it works.

So great, I report it. But now I need to check my credit card balance every day for unauthorized transactions… Yay! So, I probably want a new card. But the card company won’t give me a new card since there’s nothing wrong with my existing one (at least not yet)! DOH! I can always pay for a new one – uhm… really?

So to sum it up, Sony have made a big kerfuffle and if I don’t want to be stressing out about reporting unauthorized use of my card, I need to pay for a new card. Will Sony compensate me for that? Doubt it!

Thank you Sony! I’m your biggest fan!

— UPDATE

Turns out I’m not the only one with the same concern:

The legal action by a PSN user claims Sony did not do enough to protect the private data of its customers.

It also asks for compensation and for Sony to pay for credit card monitoring to spot if stolen details are being used fraudulently.

Came across an incredible site. Take a quick color shower with your breaths, take a moment to relax during your busy work-day, focus on your breathing to become conscious, breathe together with people from all over the world. All this in a most beautifully done website. Here is what they say about themselves:

About Do As One

The Goal: To serve and connect humanity by establishing a legacy of healthy, conscious breathing.

The Vision: One billion people will breathe together synchronously by November 11, 2012.

The Method: To share techniques for daily, optimal breathing and enable global, synchronous breathing through DoAsOne.com.

Following yesterday’s post, here is another issue I found with XAMPP and Tikiwiki.

Synopsis: After installation of Tikiwiki 6.1 on a Vista machine using XAMPP Lite 1.7.3, the Tikiwiki groupware logos at the top and bottom of the page were not displayed. When I tried to access the image directly through the browser (localhost/xampp/tiki-[version]/img/tiki/Tiki_WCG.png) I got a Server Error 500.

Workaround: This is definitely not a solution, but once again it is the .htaccess file that is screwing things up. Once it is removed from the localhost/xampp/tiki-[version]/img folder, the logos are displayed properly.
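A way to find out which .htaccess directive Apache is actually choking on before deleting the file, as an added example that is not part of the original post. It assumes a POSIX shell (Git Bash on Windows, or a Linux XAMPP) and Apache’s standard error-log wording; the log lines, paths and directive names in it are constructed samples, not taken from the author’s installation.

```shell
#!/bin/sh
# Added example (not from the original post): work out which directive in an
# .htaccess file Apache rejected, instead of deleting the whole file. A 500 that
# vanishes when .htaccess is removed is almost always one of two log messages:
#   "<directive> not allowed here"  - blocked by AllowOverride in httpd.conf
#   "Invalid command '<directive>'" - module not loaded, or a typo
# Knowing the directive lets you keep the rest of the file (an .htaccess in an
# image/upload folder often exists to stop scripts from executing there).

# Constructed sample of Apache error-log lines; paths, times and directives are made up.
sample_log() {
    printf '%s\n' \
        "[Sun May 01 10:00:01 2011] [error] [client 127.0.0.1] File does not exist: C:/xampp/htdocs/favicon.ico" \
        "[Sun May 01 10:00:05 2011] [alert] [client 127.0.0.1] C:/xampp/htdocs/xampp/tiki-6.1/img/.htaccess: Options not allowed here" \
        "[Sun May 01 10:00:09 2011] [alert] [client 127.0.0.1] C:/xampp/htdocs/xampp/tiki-6.1/img/.htaccess: Invalid command 'php_flag', perhaps misspelled or defined by a module not included in the server configuration"
}

# Keep only the lines Apache attributes to an .htaccess file (reads stdin).
htaccess_errors() {
    grep -F '.htaccess'
}

# Reduce those lines to the bare directive name, one per line (reads stdin).
rejected_directives() {
    htaccess_errors | sed -n \
        -e 's/.*\.htaccess: \([^ ]*\) not allowed here.*/\1/p' \
        -e "s/.*Invalid command '\([^']*\)'.*/\1/p"
}

# Demo on the constructed log. Against a live XAMPP install, pipe the real log
# instead, e.g.:  tail -n 200 /opt/lampp/logs/error_log | rejected_directives
# (that path is an assumption; on Windows the log is under xampp\apache\logs).
echo "Directives Apache rejected in .htaccess:"
sample_log | rejected_directives
```

With the directive name in hand, the fix is either to widen `AllowOverride` for that directory in httpd.conf or to drop the single offending line from .htaccess, rather than removing a file that may be protecting the folder.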